Action1 has added threat actor filtering technology to its cloud-based RMM platform in a bid to make using a legitimate IT management solution for illegitimate purposes harder for cybercriminals.
The new feature employs artificial intelligence to identify and deactivate new accounts set up by hackers intent on using Action1’s software to attack vulnerable end users. Until now, that work has been done manually, whenever someone at the company happened to notice its solution being used as a weapon instead of a tool.
“We saw that a few times and we would disable those accounts,” says Mike Walters, Action1’s vice president of vulnerability and threat research. “In certain cases, we even got contacted by law enforcement.”
The new functionality uses artificial intelligence to eliminate weaponized accounts automatically following anomalous behavior indicative of malicious activity. “It’s not always obvious,” Walters says. “Something that looks legitimate may not be legitimate and vice versa too.”
Examples of activity that is usually illegitimate include someone setting up an Action1 account minutes after creating the associated admin email domain, or deploying agents on 100 endpoints in 100 different Active Directory domains. “That’s not a typical situation even for an MSP who has multiple clients,” Walters notes.
Other signs of software misuse include regularly deleting all of the endpoints in an account and replacing them with a completely new set of devices, something a human monitor could easily miss, Walters says. “This is actually where some sort of AI-based detection was needed,” Walters notes. “It requires some pattern watching.”
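The three indicators described above can be expressed as simple rules over an account's metadata and its endpoint inventory over time. The following is an added illustration written for this article, not Action1's code or a description of its AI model: it assumes a registration timestamp for the admin email domain is available, uses fixed thresholds (60 minutes, 100 endpoints and domains, three full-fleet replacements) that are constructed for the example, and scores two constructed accounts, one that trips all three rules and one that looks like an ordinary MSP with several clients.

```python
"""Rule-based versions of the RMM abuse indicators discussed in the article.

Added example, not Action1's implementation. Thresholds and the
admin-domain registration timestamp are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class Account:
    name: str
    created_at: datetime
    admin_domain_registered_at: datetime  # assumed: registration time of the admin e-mail domain
    endpoints: Dict[str, str]             # endpoint id -> Active Directory domain it belongs to
    fleet_snapshots: List[Set[str]]       # endpoint-id sets observed at successive points in time


def domain_age_minutes(acct: Account) -> float:
    """Minutes between the admin e-mail domain appearing and the account being created."""
    return (acct.created_at - acct.admin_domain_registered_at).total_seconds() / 60


def fresh_domain_signal(acct: Account, max_minutes: float = 60) -> bool:
    """Indicator 1: account created within minutes of its admin e-mail domain existing."""
    return 0 <= domain_age_minutes(acct) <= max_minutes


def sprawl_signal(acct: Account, min_endpoints: int = 100, min_domains: int = 100) -> bool:
    """Indicator 2: agents on many endpoints spread across as many separate AD domains.

    A real MSP has many endpoints but they cluster into a handful of client domains;
    one endpoint per domain at scale is the pattern the article calls atypical.
    """
    distinct_domains = set(acct.endpoints.values())
    return len(acct.endpoints) >= min_endpoints and len(distinct_domains) >= min_domains


def churn_count(snapshots: List[Set[str]]) -> int:
    """Count transitions where a non-empty fleet is replaced by a completely disjoint one."""
    churns = 0
    for prev, cur in zip(snapshots, snapshots[1:]):
        if prev and cur and prev.isdisjoint(cur):
            churns += 1
    return churns


def churn_signal(acct: Account, min_churns: int = 3) -> bool:
    """Indicator 3: the whole endpoint set is deleted and replaced, repeatedly."""
    return churn_count(acct.fleet_snapshots) >= min_churns


def evaluate(acct: Account) -> List[str]:
    """Return the names of the indicators that fired; an empty list means nothing suspicious."""
    checks = {
        "fresh_admin_domain": fresh_domain_signal,
        "one_endpoint_per_ad_domain_sprawl": sprawl_signal,
        "repeated_full_fleet_replacement": churn_signal,
    }
    return [name for name, check in checks.items() if check(acct)]


# Constructed sample data (not real accounts).
T0 = datetime(2023, 1, 10, 9, 0)

SUSPECT = Account(
    name="suspect-org",
    admin_domain_registered_at=T0,
    created_at=T0 + timedelta(minutes=12),               # domain is 12 minutes old at signup
    endpoints={f"ep-{i}": f"corp{i}.local" for i in range(100)},  # 100 endpoints, 100 domains
    fleet_snapshots=[                                    # fleet fully replaced three times
        {f"a{i}" for i in range(5)},
        {f"b{i}" for i in range(5)},
        {f"c{i}" for i in range(5)},
        {f"d{i}" for i in range(5)},
    ],
)

MSP = Account(
    name="msp-example",
    admin_domain_registered_at=T0 - timedelta(days=900),  # long-established domain
    created_at=T0,
    endpoints={f"ep-{i}": f"client{i % 8}.local" for i in range(240)},  # 240 endpoints, 8 clients
    fleet_snapshots=[                                     # normal turnover: most ids persist
        {f"ep-{i}" for i in range(240)},
        {f"ep-{i}" for i in range(3, 243)},
    ],
)

if __name__ == "__main__":
    for acct in (SUSPECT, MSP):
        print(acct.name, evaluate(acct))
```

Each rule is kept as a separate function returning a boolean so that a reviewer can see exactly which indicator fired and tune its threshold independently; in practice the fleet snapshots would come from an audit log of endpoint add/remove events, and the rules would feed a scoring or review queue rather than disabling an account on a single hit.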
The new feature archives information about the accounts it disables in case investigators could benefit from it later. Some 23,900 people reported losses topping $347 million in 2021 due to tech support scams, according to the FBI. That’s a 137% increase from the previous year.
Though not on Action1’s roadmap yet, a feature that would use AI to spot anomalous activity in legitimate but breached accounts used by MSPs is under consideration for future release.
Platform security is one of the main topics MSPs ask about when evaluating Action1’s product, Walters notes, thanks to widely reported attacks on management software from SolarWinds, Kaseya, and others. Research published by Action1 in June found that 23% of SMBs worldwide are looking to replace their current IT provider, and that failure to respond to incidents in a timely manner is one of the top three reasons why.
Like other RMM vendors, Action1 has made shielding its software from assault a top design priority. The system whitelists user IP addresses, supports role-based access privileges, and mandates use of multifactor authentication at logon. “You cannot even create an Action1 account without enabling an MFA mechanism,” Walters says.
Walters hopes to see more RMM vendors roll out tools for blocking illegitimate users like Action1’s threat actor filtering feature, noting that attackers unsuccessful at creating an account with Action1 will otherwise simply move on to less carefully protected platforms. “It has to be something that many other vendors become concerned about,” he says.
Action1 was co-founded in 2018 by Walters and CEO Alex Vovk, who co-founded data security vendor Netwrix before that. Private equity investor TA Associates bought a majority stake in Netwrix in 2020.
ChannelPro included Action1 on this year’s list of lesser known, up-and-coming “vendors on the vanguard.”